What are the things one should consider when setting the facility for a syslog client? In particular, is there a difference between "4 security/authorization messages" and "10 security/authorization messages"?

1 Answer

The way I understand it, 4 is for general authorization messages, and 10 is for "sensitive" messages. Generally it seems like logins/changes/sudo to the local machine end up in facility 10, and remote stuff like IMAP/POP logins/out seem to end up in 4. YMMV depending on what OS the syslog stream ends up on.
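An added example, not part of the answer above: a collector-side check that decodes the `<PRI>` prefix (facility * 8 + severity) and separates facility 4 from facility 10, which go by the traditional syslog keywords `auth` and `authpriv`. The sample messages are constructed to follow the pattern the answer describes, and all function names are illustrative.

```python
import re

# Codes 4 and 10 carry the same RFC 5424 description; the traditional
# syslog keywords (auth vs authpriv) are what tell them apart.
AUTH, AUTHPRIV = 4, 10
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", AUTH: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              AUTHPRIV: "authpriv", 11: "ftp",
              **{16 + n: f"local{n}" for n in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def encode_pri(facility, severity):
    """PRI is facility * 8 + severity."""
    return facility * 8 + severity

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI> of a message."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"no valid PRI in {line!r}")
    return divmod(int(m.group(1)), 8)

def selector(line):
    """Render the PRI as the facility.severity pair used in syslog rules."""
    fac, sev = decode_pri(line)
    return f"{FACILITIES.get(fac, fac)}.{SEVERITIES[sev]}"

def split_auth(lines):
    """Bucket messages so facility 10 can go to a restricted destination."""
    buckets = {"auth": [], "authpriv": [], "other": []}
    for line in lines:
        fac, _ = decode_pri(line)
        key = {AUTH: "auth", AUTHPRIV: "authpriv"}.get(fac, "other")
        buckets[key].append(line)
    return buckets

# Constructed sample messages (not real logs)
SAMPLE = [
    "<86>Jan 12 10:01:02 host1 sshd[812]: Accepted publickey for alice",
    "<85>Jan 12 10:01:09 host1 sudo: alice : COMMAND=/usr/bin/id",
    "<38>Jan 12 10:02:15 host1 imapd[901]: Login user=bob",
    "<30>Jan 12 10:02:20 host1 ntpd[77]: clock synchronized",
]
if __name__ == "__main__":
    for msg in SAMPLE:
        print(selector(msg), "|", msg)
```

Running this over a sample of each client's output shows which of the two facilities that client actually uses before a routing rule depends on it.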